Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
In some use cases part of a Mesos cluster could be reserved for certain frameworks/roles. A common approach is to use static reservation so the resources of an agent are only offered to frameworks of the designated roles. However without proper authorization any (compromised) agent can register with these special roles and accept workload from these frameworks.
We can enhance the RegisterAgent ACL to express: agent principal foo is allowed to register with static reservation roles bar, baz; no other principals are allowed to register with static reservation roles bar, baz.